CVE-2021-23840: Integer Overflow
First published: Tue Feb 16 2021(Updated: )
OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate. By sending an overly long argument, an attacker could exploit this vulnerability to cause the application to crash.
Credit: openssl-security@openssl.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-apr | <0:1.6.3-107.el8 | 0:1.6.3-107.el8 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-84.el8 | 0:1.6.1-84.el8 |
| redhat/jbcs-httpd24-curl | <0:7.78.0-2.el8 | 0:7.78.0-2.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-78.el8 | 0:2.4.37-78.el8 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-39.el8 | 0:1.39.2-39.el8 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-8.el8 | 1:1.1.1g-8.el8 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-7.el8 | 0:1.0.0-7.el8 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-22.el8 | 0:0.4.10-22.el8 |
| redhat/jbcs-httpd24-apr | <0:1.6.3-107.jbcs.el7 | 0:1.6.3-107.jbcs.el7 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-84.jbcs.el7 | 0:1.6.1-84.jbcs.el7 |
| redhat/jbcs-httpd24-curl | <0:7.78.0-2.jbcs.el7 | 0:7.78.0-2.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-78.jbcs.el7 | 0:2.4.37-78.jbcs.el7 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-39.jbcs.el7 | 0:1.39.2-39.jbcs.el7 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-8.jbcs.el7 | 1:1.1.1g-8.jbcs.el7 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-7.jbcs.el7 | 0:1.0.0-7.jbcs.el7 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-22.jbcs.el7 | 0:0.4.10-22.jbcs.el7 |
| redhat/openssl | <1:1.0.2k-22.el7_9 | 1:1.0.2k-22.el7_9 |
| redhat/edk2 | <0:20210527gite1999b264f1f-3.el8 | 0:20210527gite1999b264f1f-3.el8 |
| redhat/openssl | <1:1.1.1k-4.el8 | 1:1.1.1k-4.el8 |
| redhat/jws5-tomcat | <0:9.0.50-3.redhat_00004.1.el7 | 0:9.0.50-3.redhat_00004.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.30-3.redhat_3.el7 | 0:1.2.30-3.redhat_3.el7 |
| redhat/jws5-tomcat-vault | <0:1.1.8-4.Final_redhat_00004.1.el7 | 0:1.1.8-4.Final_redhat_00004.1.el7 |
| redhat/jws5-tomcat | <0:9.0.50-3.redhat_00004.1.el8 | 0:9.0.50-3.redhat_00004.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.30-3.redhat_3.el8 | 0:1.2.30-3.redhat_3.el8 |
| redhat/jws5-tomcat-vault | <0:1.1.8-4.Final_redhat_00004.1.el8 | 0:1.1.8-4.Final_redhat_00004.1.el8 |
| OpenSSL OpenSSL | >=1.0.2<1.0.2y | |
| OpenSSL OpenSSL | >=1.1.1<1.1.1j | |
| Debian Debian Linux | =10.0 | |
| Tenable Log Correlation Engine | <6.0.8 | |
| Tenable Nessus Network Monitor | =5.11.0 | |
| Tenable Nessus Network Monitor | =5.11.1 | |
| Tenable Nessus Network Monitor | =5.12.0 | |
| Tenable Nessus Network Monitor | =5.12.1 | |
| Tenable Nessus Network Monitor | =5.13.0 | |
| Oracle Business Intelligence | =5.5.0.0.0 | |
| Oracle Business Intelligence | =5.9.0.0.0 | |
| Oracle Business Intelligence | =12.2.1.3.0 | |
| Oracle Business Intelligence | =12.2.1.4.0 | |
| Oracle Communications Cloud Native Core Policy | =1.15.0 | |
| Oracle Enterprise Manager For Storage Management | =13.4.0.0 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle GraalVM | =19.3.5 | |
| Oracle GraalVM | =20.3.1.2 | |
| Oracle GraalVM | =21.0.0.2 | |
| Oracle Jd Edwards Enterpriseone Tools | <9.2.6.0 | |
| Oracle Jd Edwards World Security | =a9.4 | |
| Oracle Mysql Server | <5.7.33 | |
| Oracle Mysql Server | >=8.0.15<8.0.23 | |
| Oracle Nosql Database | <20.3 | |
| McAfee ePolicy Orchestrator | <5.10.0 | |
| McAfee ePolicy Orchestrator | =5.10.0 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_1 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_10 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_2 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_3 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_4 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_5 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_6 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_7 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_8 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_9 | |
| Fujitsu M10-1 Firmware | <xcp2410 | |
| Fujitsu M10-1 | ||
| Fujitsu M10-4 Firmware | <xcp2410 | |
| Fujitsu M10-4 | ||
| Fujitsu M10-4s Firmware | <xcp2410 | |
| Fujitsu M10-4s | ||
| Fujitsu M12-1 Firmware | <xcp2410 | |
| Fujitsu M12-1 | ||
| Fujitsu M12-2 Firmware | <xcp2410 | |
| Fujitsu M12-2 | ||
| Fujitsu M12-2s Firmware | <xcp2410 | |
| Fujitsu M12-2s | ||
| Fujitsu M10-1 Firmware | <xcp3110 | |
| Fujitsu M10-4 Firmware | <xcp3110 | |
| Fujitsu M10-4s Firmware | <xcp3110 | |
| Fujitsu M12-1 Firmware | <xcp3110 | |
| Fujitsu M12-2 Firmware | <xcp3110 | |
| Fujitsu M12-2s Firmware | <xcp3110 | |
| Nodejs Node.js | >=10.0.0<=10.12.0 | |
| Nodejs Node.js | >=10.13.0<10.24.0 | |
| Nodejs Node.js | >=12.0.0<=12.12.0 | |
| Nodejs Node.js | >=12.13.0<12.21.0 | |
| Nodejs Node.js | >=14.0.0<=14.14.0 | |
| Nodejs Node.js | >=15.0.0<15.10.0 | |
| Nodejs Node.js | =14.15.0 | |
| debian/openssl | 1.1.1n-0+deb10u3 1.1.1n-0+deb10u6 1.1.1w-0+deb11u1 1.1.1n-0+deb11u5 3.0.11-1~deb12u2 3.1.4-2 | |
| redhat/openssl | <1.1.1 | 1.1.1 |
| redhat/openssl | <1.0.2 | 1.0.2 |
| IBM Cognos Analytics | <=12.0.0-12.0.1 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP2 | |
| IBM Cognos Analytics | <=11.1.1-11.1.7 FP7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-23840 https://nvd.nist.gov/vuln/detail/CVE-2021-23840 https://www.openssl.org/news/secadv/20210216.txt
- https://bugzilla.redhat.com/show_bug.cgi?id=1930324
- https://access.redhat.com/errata/RHSA-2021:4614
- https://access.redhat.com/errata/RHSA-2021:3016
- https://access.redhat.com/errata/RHSA-2021:3798
- https://access.redhat.com/errata/RHSA-2021:4198
- https://access.redhat.com/errata/RHSA-2021:4424
- https://access.redhat.com/errata/RHSA-2021:4613
- https://access.redhat.com/errata/RHSA-2021:4863
- https://access.redhat.com/errata/RHSA-2021:4861
- https://access.redhat.com/security/cve/cve-2021-23840
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://security.gentoo.org/glsa/202103-03
- https://security.netapp.com/advisory/ntap-20210219-0009/
- https://www.debian.org/security/2021/dsa-4855
- https://www.openssl.org/news/secadv/20210216.txt
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.tenable.com/security/tns-2021-03
- https://www.tenable.com/security/tns-2021-09
- https://www.tenable.com/security/tns-2021-10
- https://security-tracker.debian.org/tracker/CVE-2021-23840
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1930328
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1930327
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1930325
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1930326
- https://github.com/openssl/openssl/commit/6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/errata/RHSA-2021:1168
- https://exchange.xforce.ibmcloud.com/vulnerabilities/196848
- https://www.ibm.com/support/pages/node/7123154 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this OpenSSL vulnerability?
The vulnerability ID for this OpenSSL vulnerability is CVE-2021-23840.
What is the severity of CVE-2021-23840?
CVE-2021-23840 has a severity level of high.
What is the impact of CVE-2021-23840?
CVE-2021-23840 can cause a denial of service (DoS) due to an integer overflow in CipherUpdate.
How can I fix CVE-2021-23840?
To fix CVE-2021-23840, update OpenSSL to the recommended version provided by the vendor.
Where can I find more information about CVE-2021-23840?
You can find more information about CVE-2021-23840 on the IBM X-Force Exchange website and the OpenSSL website.
- collector/redhat-cve
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/author
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-23840
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/softwarecombine
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/openssl
- canonical/openssl openssl
- version/openssl openssl/1.0.2
- version/openssl openssl/1.1.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/tenable
- canonical/tenable log correlation engine
- canonical/tenable nessus network monitor
- version/tenable nessus network monitor/5.11.0
- version/tenable nessus network monitor/5.11.1
- version/tenable nessus network monitor/5.12.0
- version/tenable nessus network monitor/5.12.1
- version/tenable nessus network monitor/5.13.0
- vendor/oracle
- canonical/oracle business intelligence
- version/oracle business intelligence/5.5.0.0.0
- version/oracle business intelligence/5.9.0.0.0
- version/oracle business intelligence/12.2.1.3.0
- version/oracle business intelligence/12.2.1.4.0
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.15.0
- canonical/oracle enterprise manager for storage management
- version/oracle enterprise manager for storage management/13.4.0.0
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle graalvm
- version/oracle graalvm/19.3.5
- version/oracle graalvm/20.3.1.2
- version/oracle graalvm/21.0.0.2
- canonical/oracle jd edwards enterpriseone tools
- canonical/oracle jd edwards world security
- version/oracle jd edwards world security/a9.4
- canonical/oracle mysql server
- version/oracle mysql server/8.0.15
- canonical/oracle nosql database
- vendor/mcafee
- canonical/mcafee epolicy orchestrator
- version/mcafee epolicy orchestrator/5.10.0
- version/mcafee epolicy orchestrator/5.10.0-update_1
- version/mcafee epolicy orchestrator/5.10.0-update_10
- version/mcafee epolicy orchestrator/5.10.0-update_2
- version/mcafee epolicy orchestrator/5.10.0-update_3
- version/mcafee epolicy orchestrator/5.10.0-update_4
- version/mcafee epolicy orchestrator/5.10.0-update_5
- version/mcafee epolicy orchestrator/5.10.0-update_6
- version/mcafee epolicy orchestrator/5.10.0-update_7
- version/mcafee epolicy orchestrator/5.10.0-update_8
- version/mcafee epolicy orchestrator/5.10.0-update_9
- vendor/fujitsu
- canonical/fujitsu m10-1 firmware
- canonical/fujitsu m10-1
- canonical/fujitsu m10-4 firmware
- canonical/fujitsu m10-4
- canonical/fujitsu m10-4s firmware
- canonical/fujitsu m10-4s
- canonical/fujitsu m12-1 firmware
- canonical/fujitsu m12-1
- canonical/fujitsu m12-2 firmware
- canonical/fujitsu m12-2
- canonical/fujitsu m12-2s firmware
- canonical/fujitsu m12-2s
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/10.0.0
- version/nodejs node.js/10.12.0
- version/nodejs node.js/10.13.0
- version/nodejs node.js/12.0.0
- version/nodejs node.js/12.12.0
- version/nodejs node.js/12.13.0
- version/nodejs node.js/14.0.0
- version/nodejs node.js/14.14.0
- version/nodejs node.js/15.0.0
- version/nodejs node.js/14.15.0
- package-manager/debian
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.1
- version/ibm cognos analytics/11.2.0-11.2.4 fp2
- version/ibm cognos analytics/11.1.1-11.1.7 fp7